Transcript of Team MAGIC Michael Gong Jake Kreider Chris Lugo Kwame Osafoh-Kintanka Wireless Network Security.
- Slide 1
- Team MAGIC Michael Gong Jake Kreider Chris Lugo Kwame
Osafoh-Kintanka Wireless Network Security
- Slide 2
- Why wireless? Wifi, which is short for wireless fi something,
allows your computer to connect to the Internet using magic. -Motel
6 commercial 2
- Slide 3
- but it comes at a price Wireless networks present security
risks far above and beyond traditional wired networks Rogue access
points Evil twins Packet-based DoS Spectrum DoS Eavesdropping
Traffic cracking Compromised clients MAC spoofing Ad-hoc networks
Man-in-the-middle Grizzly bears ARP poisoning DHCP spoofing War
driving IP leakage Wired/wireless bridging 3
- Slide 4
- Cisco Wireless Network Solution The Cisco Wireless Solution
Architecture integrates existing Cisco networks with a robust,
secure suite of wireless products. Agenda: The Cisco Wireless
Network Architecture Cisco Unified Wireless Network, CSA, Cisco
NAC, firewalls, Cisco IPS, and CS-MARS Common wireless threats How
Cisco Wireless Security protects against them 4
- Slide 5
- Todays wireless network 5
- Slide 6
- Cisco Unified Wireless Network CUWN extends the Cisco network
portfolio with wireless-specific solutions for Security Deployment
Management Control issues 6
- Slide 7
- CUWN Architecture Centralized operation and management with
Wireless LAN Controller (WLC) Simplified lightweight wireless
access point operation (LWAP) Traffic tunneled from LWAP to WLC
Consistent policy configuration and enforcement 7
- Slide 8
- CUWN Security Integrated and extended solutions Wireless
intrusion prevention Rogue access point detection & mitigation
Access control Traffic encryption User authentication RF
interference & DoS protection Wireless vulnerability monitoring
Infrastructure hardening 8
- Slide 9
- CSA Cisco Security Agent Full featured agent-based endpoint
protection Two components: Managed client - Cisco Security Agent
Single point of configuration - Cisco Management Center 9
- Slide 10
- CSA - Purpose 10
- Slide 11
- CSA Wireless Perspective 11
- Slide 12
- CSA Combined Wireless Features General CSA features Zero-day
virus protection Control of sensitive data Provide integrity
checking before allowing full network access Policy management and
activity reporting CSA Mobility features Able to block access to
unauthorized or ad-hoc networks Can force VPN in unsecured
environments Stop unauthorized wireless-to-wired network bridging
12
- Slide 13
- Cisco Network Admission Control (NAC) Determines the users,
their machines, and their roles Grant access to network based on
level of security compliance Interrogation and remediation of
noncompliant devices Audits for security compliance 13
- Slide 14
- Cisco NAC Architecture 14
- Slide 15
- Cisco NAC Features Client identification Access via Active
Directory, Clean Access Agent, or even web form Compliance auditing
Non-compliant or vulnerable devices through network scans or Clean
Access Agent Policy enforcement Quarantine access and provide
notification to users of vulnerabilities Wireless integration Both
in-band and out-of-band between VLAN and WLAN 15
- Slide 16
- Cisco Firewall Purpose Common first level of defense in the
network & security infrastructure Compare corporate policies
about user network access rights with the connection information
surrounding each access attempt WLAN separation with firewall to
limit access to sensitive data and protect from data loss Firewall
segmentation is often required for regulatory compliance PCI SOX
HIPAA GLBA 16
- Slide 17
- Cisco Firewall Features Integrated approach WLC with Firewall
Services Modules Adaptive Security Appliance Layer 3 routed Mode
Layer 2 bridged Mode Support for virtual contexts to expand
FWSM/ASA capabilities and further segment traffic Multiple contexts
are similar to having multiple standalone devices. Most features
are supported in multiple context mode 17
- Slide 18
- Cisco IPS Designed to accurately identify, classify and stop
malicious traffic Worms, spyware, adware, network viruses which is
achieved through detailed traffic inspection Collaboration of IPS
& WLC simplifies and automates threat detection &
mitigation Institute a host block upon detection of malicious
traffic WLC enforcement to the AP to curtail traffic at the source
18
- Slide 19
- CS-MARS Simplified, centralized management plane Native support
for CUWN components SNMP based integration into WLC & WCS
19
- Slide 20
- Wireless Security Threats 20
- Slide 21
- Rogue Access Points Rogue Access Points refer to unauthorized
access points setup in a corporate network Two varieties: Added for
intentionally malicious behavior Added by an employee not following
policy Either case needs to be prevented 21
- Slide 22
- Rogue Access Points - Protection Cisco Wireless Unified Network
security can: Detect Rogue APs Determine if they are on the network
Quarantine and report CS-MARS notification and reporting Locate
rogue APs 22
- Slide 23
- Cisco Rogue AP Mapping 23
- Slide 24
- Evil Twins Evil Twins, also known as Hacker Access Points, are
malicious APs setup to disguise as legitimate ones Users will
likely not realize they are not connecting to the intended AP Once
connected, they can fall victim to multiple exploits, such as
man-in-the- middle attacks. 24
- Slide 25
- Evil Twins - Protection The Cisco Security Agent (CSA) can
protect against Evil Twins. It can ensure it is connecting to a
company- owned access point. If off-premise, it can force the user
to use VPN. Additionally, rogue APs on campus can be detected. The
network can even bring down the rogue AP using wireless de-auth
packets (a loose form of DoS). 25
- Slide 26
- Wireless DoS Wireless networks are subject to two forms of DoS:
Traditional (packet-based) RF-based (Jamming) Cisco uses Management
Frame Protection to guard against certain packet- based attacks
Cisco WIPS uses dynamic radio resource management to help guard
against jamming attacks 26
- Slide 27
- Traffic Cracking But were secure. MAC Authentication WEP WPA
Close but not even on the network Cisco WCS Layer 1/2/3 protection
Cisco MARS Detection 27
- Slide 28
- Cracking the protection 28
- Slide 29
- Compromised Clients Wifi ThreatSecurity ConcernCSA Feature
Ad-hoc ConnectionsWide-open connections Unencrypted Unauthenticated
Insecure Pre-defined ad-hoc policy Concurrent wired/wifi connection
Contamenating secure wired environment Concurrent wired/wifi
pre-defined policy Disable wifi traffic if wired detected Access to
unsecured wifiMay lack authentication / encryption Risk of traffic
cracking, rogue network devices Location based policies Restrict
allowed SSIDs Enforce stronger security policies 29
- Slide 30
- Guest Wireless Let them on but dont let them on Cisco WCS
30
- Slide 31
- Guest Wifi with Benefits Network segmentation Policy management
Guest traffic monitoring Customizable access portals 31
- Slide 32
- Conclusion 32 Present unparalleled threats The Cisco Unified
Wireless Network Solution provides the best defense against these
threats